UCLA Health System cyber attack affecting 4.5 million patients

It has emerged this evening that UCLA Health System has been the victim of a criminal cyber attack affecting 4.5 million patients. The attackers accessed a computer network that contains personal and medical records.

Clinton Karr, senior security strategist, Bromium

“Healthcare information security is in critical condition. We have seen report after report of millions upon millions of records breached this year. According to the Department of Health and Human Services, more than 120 million people have been compromised in more than 1,110 separate breaches since 2009 – a third of the US population. These data breaches are symptomatic of a failure of healthcare organizations to invest in preventative measures, such as threat isolation.”

Gavin Reid, VP of threat intelligence, Lancope

“This is another in a long series of recently discovered compromises to medical institutions: Carefirst, Anthem, Bluecross and now the UCLA HS. At this point we probably have more breached medical databases than ones that haven’t been compromised. The problem is that no one wants to spend additional money – and at hospitals you had better be spending that money on new medical equipment or something that saves lives. The hospitals have budgetary needs that impact directly on patient care and, let’s face it, real life-and-death situations (better staff, better equipment). The move from paper records in filing cabinets locked away in rooms to online accessible record keeping has been fueled by cost savings and by the increase in medical hardware/software that can take feeds of this data and update automatically. Hospitals have mass-adopted online record keeping but haven’t seen themselves as a target like a bank. The medical industry as a whole has to up its game in security maturity, especially basics like patching, security controls and incident detection and response.

1) Why is this growing?

Three reasons:

Large-scale attacks on hospital patient record databases, along with areas that are doing medical research, can be an extremely valuable source of data for pharmaceutical and other medical research. Some medical offices have unique patient records and histories spanning years that could never be recreated and have a huge research value. Secondly, the patient records themselves often have very complete PII (Personal Identifying Information) sets that are easily used in more common data theft scenarios. The last and increasingly common one is where medical identity theft is used to create fraudulent insurance claims using a stolen identity.

2) What can be done to stop it?

The medical industry as a whole has to up its game in security maturity, especially basics like patching, security controls and incident detection.

3) What can a consumer do to protect him/herself?

Limit who has your personal data when possible – share only with trusted providers that have a need to know. Be vigilant if you ever come across a medical bill in your name that covers services you didn’t receive – even if there is no associated bill or charge.”